SmartHawk

2.8

中危

该样本未表现出任何异常！

重新分析

下载样本

02d1241d4a6b4732bdbe1723fd77493e6386f3a373f41281d002877b67a3e5f8

02d1241d4a6b4732bdbe1723fd77493e6386f3a373f41281d002877b67a3e5f8.exe

分析耗时

73s

最近分析

388天前

文件大小

23.5KB

静态报毒动态报毒 UNKNOWN

DACN 0.12

FACILE 1.00

IMCLNet 0.49

MFGraph 0.00

引擎	描述	特征	威胁分数	可能家族	检测耗时
DACN	基于动态分析和胶囊网络的可视化恶意软件检测	API调用、DLL以及注册表的修改情况	0.12	Unknown	0.06s
FACILE	利用改进的层次胶囊网络对二进制恶意软件图像进行识别分类	二进制图像映射为的灰度图像	1.00	Unknown	0.04s
IMCLNet	轻量化深度卷积网络模型实现恶意软件家族检测	原始二进制映射而成的可视化图像	0.49	Unknown	0.24s
MFGraph	利用静态特征构建图网络以检测恶意软件	原始二进制PE文件的静态特征节点	0.00	Unknown	0.00s

未检测暂无反病毒引擎检测结果

查询计算机名称 (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545302.5305 GetComputerNameW	computer_name: TU-PC	success	1	0

检查进程是否被调试器调试 (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545285.672125 IsDebuggerPresent		failed	0	0
1727545292.4845 IsDebuggerPresent		failed	0	0

观察到命令行控制台输出 (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545300.03075 WriteConsoleA	console_handle: 0x00000007 buffer: ÖØÒªÐÅÏ¢:¡°netsh ·À»ðÇ½¡±ÒÑÆúÓÃ£» ÇëÊ¹ÓÃ¡°netsh advfirewall ·À»ðÇ½¡±¡£ ÓÐ¹ØÊ¹ÓÃ¡°netsh advfirewall ·À»ðÇ½¡±ÃüÁî ¶ø²»Ê¹ÓÃ¡°netsh ·À»ðÇ½¡±µÄÏêÏ¸ÐÅÏ¢£¬Çë²ÎÔÄÎ»ÓÚÏÂÁÐÎ»ÖÃµÄ KB ÎÄÕÂ 947709: http://go.microsoft.com/fwlink/?linkid=121488¡£	success	1	0
1727545300.04675 WriteConsoleA	console_handle: 0x00000007 buffer: ·þÎñÉÐÎ´Æô¶¯¡£	success	1	0

检查系统中的内存量，这可以用于检测可用内存较少的虚拟机 (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545292.063125 GlobalMemoryStatusEx		success	1	0
1727545302.5625 GlobalMemoryStatusEx		success	1	0

一个或多个进程崩溃 (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545300.1875 __exception__	exception.address: 0xab0eb1 exception.instruction: cmp dword ptr [ecx], ecx exception.instruction_r: 39 09 e8 8c 39 33 6c 8b f0 eb 14 8b c8 e8 4d bf exception.symbol: exception.exception_code: 0xc0000005 registers.eax: 40898968 registers.ecx: 0 registers.edx: 40937852 registers.ebx: 40937824 registers.esp: 19657376 registers.ebp: 19657416 registers.esi: 0 registers.edi: 40937852 stacktrace: 0xab0d05 mscorlib+0x216e76 @ 0x6ce76e76 mscorlib+0x2202ff @ 0x6ce802ff mscorlib+0x216df4 @ 0x6ce76df4 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x6f6e1b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x6f6f8dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x6f706a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x6f706a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x6f706a7d DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x6f783191 CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x6f73192f CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x6f7318cb CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x6f7317f1 CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x6f73197d DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x6f782f62 DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x6f78303c GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x6f84805a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5	success	0	0

Time & API

Arguments

Status

Return

Repeated

1727545300.1875
__exception__

exception.address: 0xab0eb1
exception.instruction: cmp dword ptr [ecx], ecx
exception.instruction_r: 39 09 e8 8c 39 33 6c 8b f0 eb 14 8b c8 e8 4d bf
exception.symbol:
exception.exception_code: 0xc0000005
registers.eax: 40898968
registers.ecx: 0
registers.edx: 40937852
registers.ebx: 40937824
registers.esp: 19657376
registers.ebp: 19657416
registers.esi: 0
registers.edi: 40937852
stacktrace:

0xab0d05
mscorlib+0x216e76 @ 0x6ce76e76
mscorlib+0x2202ff @ 0x6ce802ff
mscorlib+0x216df4 @ 0x6ce76df4
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x6f6e1b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x6f6f8dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x6f706a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x6f706a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x6f706a7d
DllRegisterServerInternal+0x4cf2b GetPrivateContextsPerfCounters-0xa76e mscorwks+0xa3191 @ 0x6f783191
CreateAssemblyNameObject+0xb7ec DllRegisterServerInternal-0x4937 mscorwks+0x5192f @ 0x6f73192f
CreateAssemblyNameObject+0xb788 DllRegisterServerInternal-0x499b mscorwks+0x518cb @ 0x6f7318cb
CreateAssemblyNameObject+0xb6ae DllRegisterServerInternal-0x4a75 mscorwks+0x517f1 @ 0x6f7317f1
CreateAssemblyNameObject+0xb83a DllRegisterServerInternal-0x48e9 mscorwks+0x5197d @ 0x6f73197d
DllRegisterServerInternal+0x4ccfc GetPrivateContextsPerfCounters-0xa99d mscorwks+0xa2f62 @ 0x6f782f62
DllRegisterServerInternal+0x4cdd6 GetPrivateContextsPerfCounters-0xa8c3 mscorwks+0xa303c @ 0x6f78303c
GetMetaDataInternalInterface+0xcf27 _CorDllMain-0x9ae mscorwks+0x16805a @ 0x6f84805a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76ee33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x775b9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x775b9ea5

success

分配可读-可写-可执行内存（通常用于自解压） (39 个事件)

Time & API	Arguments	Status
1727545285.641125 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x6fc91000 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545285.672125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x0041a000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545285.672125 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x6fc92000 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545285.672125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00412000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545285.750125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00422000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545285.766125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00423000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545285.766125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x0045b000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545285.766125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00457000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545285.766125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x0042c000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545285.781125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x005b0000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545285.844125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00424000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545285.860125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00425000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545285.860125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00426000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545285.875125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x0044a000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545285.875125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00442000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545291.969125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x0042a000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545292.235125 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x0041b000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3028	success
1727545292.4525 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x6f6e1000 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545292.4845 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x0054a000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545292.4845 NtProtectVirtualMemory	process_handle: 0xffffffff base_address: 0x6f6e2000 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545292.4845 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00542000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545292.5305 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00552000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545292.5465 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00553000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545292.5465 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x0058b000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545292.5465 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00587000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545292.5625 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x0055c000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545292.5625 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00ab0000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545292.5935 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00554000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545292.6095 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00555000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545292.6095 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00556000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545292.6095 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x0057a000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545292.6095 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00572000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545298.8435 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x0055a000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545300.2025 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00ab1000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545300.2345 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x0054b000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545301.1875 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x0056a000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545301.1875 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x00567000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545302.4055 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x047d0000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success
1727545302.6555 NtAllocateVirtualMemory	process_handle: 0xffffffff base_address: 0x047d1000 region_size: 4096 allocation_type: 4096 (MEM_COMMIT) protection: 64 (PAGE_EXECUTE_READWRITE) process_identifier: 3008	success

在文件系统上创建可执行文件 (1 个事件)

file	C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe

投放一个二进制文件并执行它 (1 个事件)

file	C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe

将可执行文件投放到用户的 AppData 文件夹 (1 个事件)

file	C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe

检查系统上可疑权限的本地唯一标识符 (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1727545305.2655 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

使用 Windows 工具进行基本 Windows 功能 (1 个事件)

cmdline

netsh firewall add allowedprogram "C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" "pcbs_install.exe" ENABLE

与未执行 DNS 查询的主机进行通信 (3 个事件)

host	185.27.134.11
host	114.114.114.114
host	73.31.182.30

在 Windows 启动时自我安装以实现自动运行 (50 out of 88 个事件)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\873109f217f59daee301b7afa01452c7	reg_value	"C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" ..

连接到不再响应请求的 IP 地址（合法服务通常会保持运行） (1 个事件)

dead_host

73.31.182.30:500

288x288

224x224

192x192

160x160

128x128

96x96

64x64

32x32

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-05-05 10:04:51

PE Imphash

f34d5f2d4577ed6d9ceec516c1f5a744

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00002000	0x00005494	0x00005600	5.571193740238202
.rsrc	0x00008000	0x00000240	0x00000400	4.966081339698093
.reloc	0x0000a000	0x0000000c	0x00000200	0.08153941234324169

Resources

Name	Offset	Size	Language	Sub-language	File type
RT_MANIFEST	0x00008058	0x000001e7	LANG_NEUTRAL	SUBLANG_NEUTRAL	None

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

L!This program cannot be run in DOS mode.
`.rsrc
@.reloc
1  (u
v2.0.50727
#Strings
<Module>
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
System
Object
Microsoft.VisualBasic.CompilerServices
StandardModuleAttribute
System.IO
FileInfo
FileStream
Microsoft.VisualBasic.Devices
Computer
System.Net.Sockets
TcpClient
MemoryStream
Conversions
ToBoolean
System.Reflection
Assembly
GetEntryAssembly
get_Location
Exception
Microsoft.VisualBasic.MyServices
RegistryProxy
ServerComputer
get_Registry
Microsoft.Win32
RegistryKey
get_CurrentUser
String
Concat
OpenSubKey
DeleteValue
ProjectData
SetProjectError
ClearProjectError
RuntimeHelpers
GetObjectValue
GetValue
RegistryValueKind
CreateSubKey
SetValue
DateTime
Operators
ConditionalCompareObjectEqual
ToString
Environment
get_MachineName
get_UserName
FileSystemInfo
get_LastWriteTime
get_Date
ComputerInfo
get_Info
get_OSFullName
Replace
OperatingSystem
get_OSVersion
get_ServicePack
Microsoft.VisualBasic
Strings
CompareMethod
SpecialFolder
GetFolderPath
Contains
RegistryKeyPermissionCheck
GetValueNames
get_Length
Convert
ToBase64String
FromBase64String
System.Text
Encoding
get_UTF8
GetBytes
GetString
System.IO.Compression
GZipStream
Stream
CompressionMode
set_Position
BitConverter
ToInt32
Dispose
IntPtr
op_Equality
op_Explicit
Interaction
Environ
Conversion
Module
GetModules
GetTypes
get_FullName
EndsWith
get_Assembly
CreateInstance
DirectoryInfo
get_Name
ToLower
CompareString
get_Directory
get_Parent
get_LocalMachine
AppWinStyle
Delete
DeleteSubKey
EndApp
System.Threading
Thread
Exists
FileMode
ReadAllBytes
System.Diagnostics
Process
EnvironmentVariableTarget
SetEnvironmentVariable
System.Net
WebClient
System.Drawing
Graphics
Bitmap
Rectangle
ConcatenateObject
get_Chars
ToArray
DownloadData
GetTempFileName
WriteAllBytes
get_Message
NewLateBinding
LateSet
LateCall
Boolean
LateGet
CompareObjectEqual
OrObject
System.Windows.Forms
Screen
get_PrimaryScreen
get_Bounds
get_Width
get_Height
System.Drawing.Imaging
PixelFormat
FromImage
CopyPixelOperation
CopyFromScreen
Cursor
Cursors
get_Default
get_Position
ToInteger
DrawImage
ImageFormat
get_Jpeg
WriteByte
RuntimeTypeHandle
GetTypeFromHandle
ChangeType
System.Security.Cryptography
MD5CryptoServiceProvider
HashAlgorithm
ComputeHash
GetCurrentProcess
get_Handle
Monitor
Socket
get_Client
SocketFlags
set_ReceiveBufferSize
set_SendBufferSize
set_SendTimeout
set_ReceiveTimeout
Connect
get_Available
SelectMode
NetworkStream
GetStream
ReadByte
ToLong
Receive
ParameterizedThreadStart
Command
ThreadStart
SessionEndingEventArgs
SessionEndingEventHandler
SystemEvents
add_SessionEnding
Application
DoEvents
set_MinWorkingSet
ConditionalCompareObjectNotEqual
CompilerGeneratedAttribute
DebuggerStepThroughAttribute
STAThreadAttribute
StringBuilder
GetProcessById
get_MainWindowTitle
DateAndTime
get_Now
get_ProcessName
Keyboard
get_Keyboard
get_ShiftKeyDown
get_CapsLock
ToUpper
get_CtrlKeyDown
Remove
avicap32.dll
kernel32
user32.dll
user32
mscorlib
lastcap
.cctor
NtSetInformationProcess
hProcess
processInformationClass
processInformation
processInformationLength
capGetDriverDescriptionA
wDriver
lpszName
cbName
lpszVer
GetVolumeInformation
GetVolumeInformationA
lpRootPathName
lpVolumeNameBuffer
nVolumeNameSize
lpVolumeSerialNumber
lpMaximumComponentLength
lpFileSystemFlags
lpFileSystemNameBuffer
nFileSystemNameSize
GetForegroundWindow
GetWindowText
GetWindowTextA
WinTitle
MaxLength
GetWindowTextLength
GetWindowTextLengthA
Plugin
CompDir
connect
_Lambda$__1
_Lambda$__2
LastAV
LastAS
lastKey
ToUnicodeEx
GetKeyboardState
MapVirtualKey
GetWindowThreadProcessId
GetKeyboardLayout
GetAsyncKeyState
VKCodeToUnicode
WrapNonExceptionThrows
_CorExeMain
mscoree.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
xadefg
SGFjS2Vk
pcbs_install.exe
873109f217f59daee301b7afa01452c7
73.31.182.30
Software\Microsoft\Windows\CurrentVersion\Run
Software\
yy-MM-dd
??-??-??
Microsoft
Windows
SystemDrive
netsh firewall delete allowedprogram "
Software
cmd.exe /c ping 0 -n 2 & del "
SEE_MASK_NOZONECHECKS
netsh firewall add allowedprogram "
" ENABLE
getvalue
Execute ERROR
Download ERROR
Executed As 
Execute ERROR 
Update ERROR
Updating To 
Update ERROR 
yy/MM/dd 
[ENTER]

Process Tree

02d1241d4a6b4732bdbe1723fd77493e6386f3a373f41281d002877b67a3e5f8.exe (3028) "C:\Users\Administrator\AppData\Local\Temp\02d1241d4a6b4732bdbe1723fd77493e6386f3a373f41281d002877b67a3e5f8.exe"
- pcbs_install.exe (3008) "C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe"
  - netsh.exe (2444) netsh firewall add allowedprogram "C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe" "pcbs_install.exe" ENABLE

02d1241d4a6b4732bdbe1723fd77493e6386f3a373f41281d002877b67a3e5f8.exe, PID: 3028, Parent PID: 2600

default registry file network process services synchronisation iexplore office pdf

pcbs_install.exe, PID: 3008, Parent PID: 3028

default registry file network process services synchronisation iexplore office pdf

netsh.exe, PID: 2444, Parent PID: 3008

default registry file network process services synchronisation iexplore office pdf

Hosts

IP
185.27.134.11
114.114.114.114
73.31.182.30

DNS

Name	Response	Post-Analysis Lookup
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255

TCP

Source	Source Port	Destination	Destination Port
185.27.134.11	21	192.168.56.101	49165

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	53179	224.0.0.252	5355
192.168.56.101	49642	224.0.0.252	5355
192.168.56.101	137	192.168.56.255	137
192.168.56.101	61714	114.114.114.114	53
192.168.56.101	56933	114.114.114.114	53
192.168.56.101	138	192.168.56.255	138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name	02d1241d4a6b4732_pcbs_install.exe
Filepath	C:\Users\Administrator\AppData\Local\Temp\pcbs_install.exe
Size	23.5KB
Processes	3028 (02d1241d4a6b4732bdbe1723fd77493e6386f3a373f41281d002877b67a3e5f8.exe)
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`58e06f93adc72d9615806e136e1d672a`
SHA1	`83d10cda42966901eea0bc76510dc34977105f6f`
SHA256	`02d1241d4a6b4732bdbe1723fd77493e6386f3a373f41281d002877b67a3e5f8`
CRC32	`33FC6F0A`
ssdeep	`None`
Yara	None matched
VirusTotal	Search for analysis

Sorry! No dropped buffers.